Add CRLDistributionPoints to leaf certificate

A standard letsencrypt leaf certificate has an OCSPServer field but no CRLDistributionPoints field. The CRLDistributionPoints field is given in the intermediate certificate (issuer of leaf certificate). That makes it difficult to verify the CRL, because the CRL is signed by the issuer of the intermediate certificate which isn’t present in the certificate chain.

Feature request: add CRLDistributionPoints to leaf certificate

A typical cert chain makes it clear:

CERTIFICATE DETAILS ...
SignatureAlgorithm       : SHA256-RSA
PublicKeyAlgorithm       : RSA
Version                  : 3
SerialNumber             : 299760584395680137105513467069717201743597
Subject                  : CN=www.freizeitkarte-osm.de
Issuer                   : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
NotBefore                : 2019-09-12 22:18:26 +0000 UTC (valid for 90 days)
NotAfter                 : 2019-12-11 22:18:26 +0000 UTC (expires in 39 days)
KeyUsage                 : 5 (101, KeyEncipherment, DigitalSignature)
ExtKeyUsage              : ServerAuth, ClientAuth
IsCA                     : false
DNSNames                 : www.freizeitkarte-osm.de
OCSPServer               : http://ocsp.int-x3.letsencrypt.org
IssuingCertificateURL    : http://cert.int-x3.letsencrypt.org/
PolicyIdentifiers        : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId             : 374cafefa428e297718071c6b6a8168bc49a4b02
AuthorityKeyId           : a84a6a63047dddbae6d139b7a64565eff3a8eca1

CERTIFICATE DETAILS ...
SignatureAlgorithm       : SHA256-RSA
PublicKeyAlgorithm       : RSA
Version                  : 3
SerialNumber             : 13298795840390663119752826058995181320
Subject                  : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer                   : CN=DST Root CA X3,O=Digital Signature Trust Co.
NotBefore                : 2016-03-17 16:40:46 +0000 UTC (valid for 1826 days)
NotAfter                 : 2021-03-17 16:40:46 +0000 UTC (expires in 501 days)
KeyUsage                 : 97 (1100001, CRLSign, CertSign, DigitalSignature)
IsCA                     : true
OCSPServer               : http://isrg.trustid.ocsp.identrust.com
IssuingCertificateURL    : http://apps.identrust.com/roots/dstrootcax3.p7c
CRLDistributionPoints    : http://crl.identrust.com/DSTROOTCAX3CRL.crl
PolicyIdentifiers        : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId             : a84a6a63047dddbae6d139b7a64565eff3a8eca1
AuthorityKeyId           : c4a7b1a47b2c71fadbe14b9075ffc41560858910

Why would Let’s Encrypt add a CRLDistributionPoints field when they do not operate a CRL for their leaf certificates?


You are right. This feature request doesn’t make sense and can be closed.


That CRL is used to verify the status of the intermediate certificate, and since Let’s Encrypt (currently) only operates OCSP for leaf certificates, there’s no need to use a CRL (it wouldn’t be accessible anyway, because nothing is serving it).

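The relationship the last reply describes, in runnable form. This is an added example, not code from the thread or from Let's Encrypt: it builds a constructed chain with made-up names (the `.invalid` URLs are placeholders) using Go's crypto/x509, then shows that the CRL named by the intermediate's CRLDistributionPoints verifies only against the root that issued the intermediate, which a relying party already holds as a trust anchor. It assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses the DER back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// BuildChain constructs (made-up names, not Let's Encrypt data) a root -> intermediate -> leaf chain
// with the same revocation pointers as the dump above: the leaf has only OCSP, the intermediate only a CRLDP.
func BuildChain() (root, inter, leaf *x509.Certificate, rootKey *ecdsa.PrivateKey) {
	rootKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, caUse := time.Now(), x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: caUse, SubjectKeyId: []byte{1}}
	root = sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	interT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: caUse, SubjectKeyId: []byte{2},
		CRLDistributionPoints: []string{"http://crl.example.invalid/root.crl"}} // the CRL here is signed by the root, not by this cert
	inter = sign(interT, root, &interKey.PublicKey, rootKey)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.invalid"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, OCSPServer: []string{"http://ocsp.example.invalid"}} // no CRLDP, as on LE leaves
	leaf = sign(leafT, inter, &leafKey.PublicKey, interKey)
	return
}

// CRLSigners issues the (empty) CRL named by the intermediate's CRLDP, signed by the root as in the dump, and
// reports whether it verifies against the root and against the intermediate: only the issuer's key vouches for it.
func CRLSigners(root, inter *x509.Certificate, rootKey *ecdsa.PrivateKey) (byRoot, byInter bool) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey))))
	return crl.CheckSignatureFrom(root) == nil, crl.CheckSignatureFrom(inter) == nil
}
```

The same holds one level down: an OCSP response for the leaf is signed by the intermediate's key (or a responder it delegates to), so each certificate's status is always vouched for by its own issuer.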
